Log Management…and Beyond

January 20th, 2011

Log management is one of those topics that is hard to make “sexy” or exciting. Logs are, after all, well…logs. However, I think the log management industry has reached a point of maturity where we can all say with some confidence that collecting logs and analyzing them SOMEHOW is a best practice of sorts. Whether to “check the box” (yuck) or truly try to get some value from them, we’re all doing more log capture, retention, and analysis than ever before. For what it’s worth, I think log management is actually one of those areas in security/compliance that easily crosses over into IT operations, and ultimately can provide benefits to IT Ops and Security simultaneously. Can we detect changes or events with logs? Possibly, thus providing another element of intrusion detection or incident response. Can logs help in troubleshooting and tuning the environment/infrastructure? Yes, in many cases. Logs can also have real business value: what are people using technology for, and how? What kinds of activities are going on, and how can organizations iteratively refine their IT operations (whether for customers, partners, or employees) over time? Logs can be useful here. So I’m a fan of logs. The caveat, of course, is that you have to DO something with the data you’re collecting.

Every year, I help coordinate and contribute to the SANS Log Management Survey. Sponsored by a number of log management vendors, the survey asks a lot of questions about how people are using their log data. What types of solutions do you have, commercial or homegrown? How much data are you gathering, and why? What are the most practical uses of log data in your environment? This is good data to know, for the industry and practitioners alike. Vendors can learn what people really want, and what people are disenchanted with as well. Practitioners can learn how others are using logs, and gather useful information for making business cases about log management operations and products/solutions. To be effective, the survey needs input! If you have any involvement with log management in your organization, please consider taking the survey – it’ll only take 5-10 minutes max, promise.